File Says N.S.A. Found Way to Replace Email Surveillance Program (nytimes.com)
216 points by hackuser on Nov 20, 2015 | 54 comments

Maybe my reading comprehension isn't so sharp today, but I found this article difficult to parse. So I looked at the disclosed set of documents.

Basically, the series of documents are NSA OIG and Congressional reports about the email surveillance program that was shuttered in 2011. It provides a bit more information than was previously available under the original leaks in 2013.

What the author of this article is trying to express is the idea that the NSA was able to resume the function of the email metadata program (they call it PR/TT, or Pen Register / Tap Trace) with some other secret program. The NYT alleges that a paragraph on page 65 links this defunct program with the upstream collection and the PRISM (both FAA §702) programs. It's stated in the paragraph that the NSA concludes that it can do its job with upstream/PRISM and for phone calls, chaining through the telephony metadata collection (SPCMA).

TL;DR: The NSA stopped using the email metadata program and then relied on upstream/PRISM and the telephone metadata program to fulfill the need. The NYT got some FOIA'd documents to confirm this with an official statement.

So I thought that the article was misleading in that it attempts to link an email metadata program which applied to all email communication, including U.S. persons with two different programs (upstream and PRISM) which only authorize collection of targets that are not U.S. persons and are outside of the U.S., and have a valid foreign intelligence purpose.

It's certainly possible that the NSA simply disregards the laws and collects on everybody. However, there isn't any evidence of that here.

Kudos on the NYT for winning their lawsuit and getting the documents through FOIA, though.

>It's certainly possible that the NSA simply disregards the laws and collects on everybody.

The NSA is almost certainly engaging in full-take domestic content collection on everyone—including US citizens. If I had to guess, they're probably staying within the letter of the law while doing so via a combination of legal maneuvering and secret authorizations.

Consider Tim Clemente's on-air remarks, and the fact NSA has been playing semantics games with the definition of "collection" such as to conflate it with the act of accessing information that's already present in storage.[0]

Also consider that Russ Tice has stated multiple times that full-take domestic content collection was occurring as recently as 2013.[1]

Moreover, what Snowden leaked was primarily from JWICS, which is arguably a glorified PowerPoint repository for the intelligence community. There are more sensitive networks, and it stands to reason that the lurid details of full-take domestic collection would probably be heavily compartmented, not floating around in clear unambiguous form on something like JWICS.

The whole metadata discussion is a bullshit facade. NSA is essentially offering up deprecated programs and their associated policy frameworks for sacrifice on the political altar. This serves to protect their current programs via way of misdirection, providing an illusion of reform.

[0] http://blog.rubbingalcoholic.com/post/52913031241/its-not-ju...

[1] 9:49, 1:13:29 @ http://www.boilingfrogspost.com/wp-content/uploads/BF.0112.T...

The real secrets and "keys to the kingdom" are "Eyes only" compartmentalized deep within ECI/VRK compartments. I sincerely doubt the NSA would ever keep a record of some of the sensitive things they do. The big thing with the Snowden leaks was the NSA did not know if he got evidence of full content collection at first and now that it is apparent he didn't, the discussion regarding the NSA is limited to only "Metadata" collection.

The NSA has already said that:

1) all encrypted data is considered "foreign" and therefore all is collected (as if they couldn't see that metadata for that encrypted content...). So if you use Gmail or Facebook you're a foreigner.

2) if there's a >51% chance (flipping a coin) in their algorithm that the target is a foreigner (based on metadata, presumably) then the data will be collected.

3) EFF and others (I think Ron Wyden, too, who is in the Intelligence Committee) have said that the NSA is doing "backdoor searches" on Americans by interpreting the law as "if you communicate to a foreigner they can collect yours, too" - So if you have foreigner Friends on your Facebook or Twitter and you "like" or talk to them, your data will likely be collected.

4) When asked whether it collects the data on members of Congress, I don't remember the exact reply but it was something along the lines of "probably, since we collect it on everyone".

Knowing this (and there are other such answers from them), you have to be very naive to believe the NSA is only collecting the data at most on a small percentage of Americans.

From what I saw in other articles, the NSA started collecting the data from overseas so it can pretend it's doing nothing illegal - or something.


History has demonstrated that activities performed in any particular program the NSA claims has been discontinued is typically replaced in another program.

Then Spokesmuppets in front of congress can claim "we do not X under this program", or make similarly carefully-parsed statements, and not technically be lying.

This has happened repeatedly.

Not wittingly.

The interesting part about that quote is that he then sent a letter to congress telling them that it was "the least untruthful" thing he could say at the time.

And got their agreement to that narrative, which got him out of lying under oath to congress. There will be stories written about this man someday, the way we write about Goebbels.

No. It stops being perjury when the agreement of all parties is that his testimony was truthful enough.

Spokesmuppets - awesome description for them.

So, basically: the NSA lets (say) GCHQ collect data on Americans, and taps into it; conversely, NSA collects data on Brits and lets GCHQ tap into it. Voila! Both have satisfied their "legal" obligations, and yet have all the data they need.

It doesn't work that way. "Stealing" data on Americans from GCHQ is just as illegal as collecting it themselves. They aren't allowed to have the information without legal authorization.

Couldn't the NSA just ask the GCHQ to run specific queries (or entire programs/algorithms) against their data and share any intelligence gained?

Lol, like they give a fuck

I thought we were already under the assumption that this was what FVEY's was doing.

Those of us paying attention have known this since the late 90's, but were mostly called conspiracy theorists when we tried to talk about it in public.

I'm in that boat unfortunately but it goes back to the 80's for me - heard right wing conspiracy stuff from old people who were getting it from the radio and everyone called them crazy... then the 90's, to 2000's aaaand now it's real.

That whole paragraph creeps me out. I try to avoid this whole discussion now because I don't like observing anymore - I'd like to completely check out of it. The mass murder stuff is horrifying and I hate that it's a part of my reality, and worse yet my kid has to see that shit on the news, and other kids have to live it. People need to let ideologies go and work towards space travel peace. If all the other bad stuff has become a reality, I just hope the Star Trek future we were promised can come true ;)

edit: by part of my reality I mean via the news as well - it hasn't directly affected me thankfully.

It's just such an elusive pattern. The NSA wants to collect information about digital comms AND they have the ability to eavesdrop/split network traffic at the infrastructure level... I just know there's something there -- there's SOME kind of link between those two concepts -- but I can't quite connect the dots yet.

Oh well, this will be a good data point, so I'm glad to know this one particular thing isn't some kind of conspiracy theory (always have to be careful about those conspiracy theories; they're just so tone deaf and reactionary).

On Panda, the title is cropped to "File Says N.S.A. Found Way to Replace Email" which made me think that the N.S.A. had a Slack competitor.

I bent (flexed?) the HN rules a little when I submitted this story. The actual headline in the NY Times is "File Says N.S.A. Found Way to Replace Email Program" but like you I didn't know what to make of it - I guessed someone learned the NSA was putting fake Gmail or Outlook on their targets' devices. So I changed it to "File Says N.S.A. Found Way to Replace Email Surveillance Program".

So collecting the same data on US citizen outside the US makes it Ok? Seems checks and balances are really working to protect US citizens in their papers and effects.

ANY government entity, from your local town cops to the IRS can read your email without a warrant - if it is at least 6 months old.

That law is over a decade old.

Unless you are hosting your own server and don't store your mail on a third party in the cloud (but that is probably true for all your data that is hosted by a third party, not just email)

Yup. And exactly why the next president after that law was signed set up their own private email server in their home.

I have no idea why there weren't a million news stories about WHY you should set up your own private email server in your home and how to do it.

In fact a startup might find the perfect sales pitch to have a plug-and-play mail server for your home. $100 shipped to your door, plug it into your router and give it a domain name.

Gmail likely has most of your emails due to the fact that many people use it. See for example this analysis[0], where the author says that over 50% of his emails have transited on a Gmail-owned server.

[0] https://mako.cc/copyrighteous/google-has-most-of-my-email-be...

The long-term effect is that it destroys email, just like they are destroying SSL, DNS, and many other building bricks of the internet, which are gradually getting replaced by alternatives that are more difficult to subvert. For example, shutting down Napster only led to the emergence of BitTorrent. I am not against it. I think that this type of arms race cannot be avoided. So, let's embrace it.

Arms races are rarely good for anyone. This one in particular will only make it harder for everyone to do their jobs. Law enforcement will find it impossible to execute perfectly-legal search warrants. Corporations will be subject to ever-more-onerous demands by their customer bases for security against imagined adversaries with the resources of nation-states. Regular civilians will find themselves bewildered by an array of security choices but no real help in determining what's important and what's not, not to mention will still be vulnerable to theft of secrets not even in their control.

The nuclear arms race went ok because both main parties were rational, realistic professionals with no desire to see chaos reign. That's not the case with all parties seeking nuclear weapons today. Nobody's worried about MAD anymore, but the chances of someone, somewhere detonating a nuclear weapon on a populated area is just as high as it ever was. There's no reason to be embracing anything, however inevitable it may look.

Well, either way, Canada or UK can always do the job for them if plan B doesn't work out.

Really hoping to find out it's all implemented on top of Kafka.

The NSA either fights for the American people or it fights against them. Currently the NSA is fighting against me, an American citizen.

They will not stop, unless we stop them.

Surprise! (not)

The NSA conversation is tiring. The NSA is a powerful agency with billions of unaccounted dollars. It will do what it wants. Why discuss its motives?

Perhaps we could better spend our time ensuring we trust our fellow Americans enough that they would not allow a cancerous fascism to spread throughout the "shadow government" of the executive branch. In other words, trust they will look out for our best interests and will resist any movement to establish a tyrannical government.

Why can't we just trust the NSA?

Why can't we just give up several rights and insanely powering information to NSA and blindly hope that they will do "the right thing" with it with no transparency? I really hope this is a minority opinion. I would also like to remind people that a lot of services are hosted in the USA and the world at large is also affected by this... The rest of the world should definitely not "just trust" the NSA.

>that they would not allow a cancerous fascism to spread

The reason the rest of the government has a system of checks and balances is because humans can't be trusted to not get out of control when it comes to power. The NSA has none of this so they will keep expanding their power as much as they can.

Because we can't trust our fellow Americans that much. You can plainly observe the current anti-Muslim, anti-refugee rhetoric and make that assessment yourself. You remembered what public discourse was like right after 9/11. The NSA's dragnet surveillance would be of great help in, say, Donald Trump's recommendation to make a database of all US Muslims.

It does seem like his anti-illegal alien rhetoric could easily be shifted to Muslims. Either way shenanigans do seem to be afoot with that whole thing. I feel like I'm living in a cartoon these days.

Maybe potential applicants to the NSA should be required to have a "trust score" above a certain threshold, according to a certain algorithm, democratically programmed by the People.

and diligently applied by a contractor

We can just trust the NSA because they have shown themselves to be untrustworthy. They already used information on innocent people for personal purposes.

One huge piece of evidence that we can actually trust the government is that the Bush era DOJ threw a fit when the workers thought Bush's NSA went too far. Then we had a national debate about it.

Plus even if you didn't trust the government not to go fascist they could recreate a NSA within a few months anyway.

They wouldn't even need that. They'd roll tanks down to Google/Facebook HQ and have recreated it within 30 minutes. That's the absurdity of the commercial/government dichotomy approach to privacy: any government that would routinely use surveillance information against ordinary people would have no problem raiding the offices of internet/telecom companies who have all that data anyway.

The main reason people have a hard time trusting them is because they aren't always completely honest with us... which isn't a great way to get trust from your citizens.

If the NSA publicized all its internal decision making processes, it would interfere with its own job.

Should any American citizen expect detailed documentation on the intelligence apparatus operating within the NSA? Wouldn't such disclosure jeopardize ongoing operations? The NSA has no obligation to reveal anything more about its operations than federal law requires it to. The legislative branch has the responsibility of enforcing any requirements placed upon the NSA.

The legislative branch is responsible for checking the power of the executive branch, which includes the NSA. That is why congress regulates its operations, and enforces the regulations with specialized committees.

Unfortunately, even if congress can tightly regulate the NSA, it cannot publicly enforce its regulations. Public enforcement would jeopardize ongoing operations within the NSA. If Congress limited its regulations to only those that it could publicly enforce, then it would restrict the scope of the regulations, making it impossible to properly check the power of the NSA.

Given the catch-22 of asking congress to regulate the NSA, but in a publicly provable manner, we are left with two choices: sacrifice the intelligence apparatus altogether, or continue funding it while trusting the regulatory power of congress.

Ultimately the power of the NSA depends on the power of its overseers on the intelligence committee. A powerful group of senators and congressmen could enforce regulations on the NSA.

The challenge is finding trustworthy congressmen, who are capable of regulating the NSA. Americans should really stop worrying about the behavior of the NSA, and start worrying about electing the right congressmen to ensure the NSA is operating for the best interest of the American people.

> The NSA has no obligation to reveal anything more about its operations than federal law requires it to.

You're starting from the assumption that current federal laws are moral and just.

It's a tautology to say "they are [legally] obligated to do what they're legally obligated to do" No one would disagree with you on that. The point of the discussion and debate is about what they _should_ be legally obligated to do.

The problem is that since the dawn of our Republic when our current system of checks and balances was put into place, the intelligence apparatus has grown much larger and more powerful than I think anybody really could have ever expected. And because of their secrecy and vagueness, it has become impossible to actually get a sense of the real benefit of our intelligence operation.

If it's a choice between the unknown benefit/cost of compromising the NSA's operations (through greater transparency) and the current situation (our civil liberties being threatened more and more every day), I would choose the former.

The system of accountability is completely outdated and unbalanced in favor of the intelligence apparatus.

If the NSA publicized all its internal decision making processes, it would interfere with its own job.

Should any...


and so on...

False Dilemmas across the board, utterly without nuance. Sprinkle in some, "Welp, that's the law!" nihilism (or complicity) to taste.

There is no evidence that the NSA is any good at its job. It ought to be eliminated. This is an easy decision, because its programs are odious or undemocratic, but because it is a useless waste of taxpayer money.

The Information Assurance Directorate is good at its job, surely they shouldn't be eliminated.

Lie to Congress as a baseball player? Go to jail (in your house).

Lie to Congress as head of NSA? Retire?

More like take those secrets developed with public money and turn it into a personal consulting firm complete with rubber-stamp from the NSA that you're not infringing "their" ip.

"Why can't we just trust the NSA?"

In that case, why not just trust Daesh?
